Add trusted publishing

- Publish to npmjs.org from tags.
- Pin GitHub Actions by Git SHA.
- Refactor permissions.

Author: martincostello

.github/workflows/build.yml

@@ -3,6 +3,7 @@ name: build
 on:
   push:
     branches: [ dev ]
+    tags: [ '*' ]
     paths-ignore:
       - '**/*.gitattributes'
       - '**/*.gitignore'
@@ -11,33 +12,47 @@ on:
     branches: [ dev ]
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   build:
     name: build
     runs-on: ubuntu-latest
 
+    permissions:
+      contents: read
+      id-token: write
+
     steps:
 
     - name: Checkout code
-      uses: actions/checkout@v4
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        filter: 'tree:0'
+        persist-credentials: false
+        show-progress: false
 
     - name: Setup Node
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
         node-version: '22.x'
+        registry-url: 'https://registry.npmjs.org'
 
     - name: Install packages
       run: |
         npm ci
 
     - name: Setup .NET SDK
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
       with:
         dotnet-version: '9.0.x'
 
     - name: Test
       run: |
         npm test
+
+    - name: Publish
+      if: |
+        github.event.repository.fork == false &&
+        startsWith(github.ref, 'refs/tags/')
+      run: npm publish